(C//REL) Internet Anonymity 2011
Total Page:16
File Type:pdf, Size:1020Kb
MAT A Sek-13-5-c.pdf, Blatt 1

Slide 1
(C//REL) Internet Anonymity 2011
• NSA (S31323) NSTS
TOP SECRET//COMINT REL TO USA,FVEY

Slide 2
(C//REL) What is Internet Anonymity?
(U) Many Possible Meanings/Interpretations
(S//REL) Simply Not Using Real Name for Email
(S//REL) Private Forum with Unadvertised Existence
(S//REL) Unbeatable Endpoint on Internet
(S//REL) This Talk Concerns Endpoint Location
(S//REL) The Network Address (IP Address) is Crucial
(S//REL) It is Not Always Sufficient, However
• (S//REL) Dynamic IP Address
• (S//REL) Mobile Device

Slide 3
(C//REL) What is Internet Anonymity?
(S//REL) Anonymity Is Not Simply Encryption
(S//REL) Encryption Can Simply Hide Content
(S//REL) Anonymity Masks the MetaData and hence association with user
(S//SI//REL) Importance of MetaData to SIGINT post-2001 can not be overstated
(S//REL) There is also anonymity specifically for publishing information
(S//REL) Beyond the Scope of this Talk!
(U) Anonymity is the antithesis of most business transactions (but encryption may be crucial)
(U) Authentication for monetary exchange
(U) Marketing wants to know customer well
(U) The same goes for Taxing Authorities :-)

Slide 4
(C//REL) Who Wants Internet Anonymity?
• (U) All Technology is Dual-Use
- (U) Nuclear Weapon to Plug Oil Well
- (U) Homicide by Hammer
• (U) Internet Anonymity for Good
- (U) Anonymous Surveys (Ex: Diseases)
- (U) Human Rights Bloggers
- (U) HUMINT Sources

Slide 5
(C//REL) Who Wants Internet Anonymity?
(U) Internet Anonymity for Bad (Semi to Really)
(U) Copyright Violators (File Sharing)
(U) Internet Scam Artists
(U) Pedophiles
(C//REL) Foreign Intelligence Agents
(S//REL) Terrorist Actors (Our Concern)
(U) Both Cases Use Internet Anonymity Technology (IAT)

Slide 6
(S//REL) Internet Censorship: A Different Scenario
- (U//FOUO) User IP Address known
- (U//FOUO) User Blocked from accessing certain site IP Addresses
- (U//FOUO) Users get around it with Circumvention Technology
- Mostly the same as Internet Anonymity Technology (IAT)

Slide 7
(C//REL) Types Of IAT
(S//REL) Single Hop Proxies
- (S//REL) Web Site Proxies
- (S//REL) HTTP/SOCKS Proxies
(S//REL) Browser Configured to Access
(S//REL) Proxy Aggregator Sites for Both
- (S//REL) May support SSL/TLS
• (S//REL) HTTP Sites: Only User <-> Proxy
• (S//REL) SSL Sites (HTTPS)
(S//REL) Transparent (Just Pass the Bits)
- (S//REL) Man-in-the-Middle (MITM)

Slide 8
(C//REL) Types Of IAT: HTTP Proxies/Aggregators
(S//REL) Web-Site Proxy Aggregator sites
(S//REL) May list thousands of proxies
(S//REL) Taxonomy may be country where hosted
(S//REL) Taxonomy may be ego/business related
(S//REL) Taxonomy may be proxy software related
(S//REL) Taxonomy may be provider related
(S//REL) Proxy Information IS Temporal
(S//REL) Requires active confirmation
(S//REL) Requires revisits

Slide 9
(C//REL) Types Of IAT: HTTP Proxies/Aggregators
(S//REL) Web Proxy Sites (and Aggregator sites) - Info We Want
• (S//REL) Domain Name (obvious :-))
• (S//REL) Associated IP address(es)
(S//REL) Can get live (nslookup, host, dig, etc)
(S//REL) Can maybe get internally (Foxtrail, NKB, etc.)
• (S//REL) "Exit" IP address (where does user appear?)
(S//REL) Obtaining manually easy (http://checkip.dyndns.org)
(S//REL) How to Automate?
(S//REL) Proxy Discoverer (Originally S31323)
(S//REL) Other miscellaneous (cookie modification, SSL support, etc.)

Slide 10
(C//REL) Types Of IAT: HTTP Proxies/Aggregators
(S//REL) Web Proxy Aggregator sites Analysis
(S//REL) Proxy Discoverer
(S//REL) Scrapes Aggregator (ie www.proxy.org)
(S//REL) For each proxy, GET
• (S//REL) Iterate over software, variations
(S//REL) Glype, PHProxy, CGIProxy, ASP.NET, cURLProxy, Surrogafier, Zelune
• (S//REL) Try multiple times
• (S//REL) Aggregator may give software hints
(S//REL) Failure may indicate site down, or proxy SW modification
(S//REL) Results from Proxy Discoverer must bridge low->high
(S//REL) Operationalized by NAC/RONIN with NTOC support (project PONTENTPOTABLES)
(S//REL) See SDC2011:

Slide 11
(C//REL) Types Of IAT
(S//REL) VPN Anonymity Providers
(S//REL) Provider may offer multiple servers
• (S//REL) Different Sovereign Nations
(S//REL) Different Bandwidths
(S//REL) Most fee based: Can vary on time/number of servers
(S//REL) May offer multiple VPN protocols
(S//REL) PPTP (No client software)
(S//REL) SSH
(S//REL) OpenVPN
(S//REL) L2TP/IPSEC
(S//REL) SSTP
(S//REL) Communications User <-> Server Encrypted

Slide 12
• (S//REL) VPN Anonymity Providers
(S//REL) Plethora of providers (I found about 200)
(S//REL) 12VPN, Ace VPN, Air VPN, AlwaysVPN, Ananoos, AnoCentral, Anonine, Anonyproz, AnonymityNetwork, Anonymizer, Anti-Hadopi, Arethusa, ArtofPing, Astrill, BananaVPN, BeeVPN, BlackLogic, BlackVPN, BolchVPN, BuyProxyService, Change-Mon-IP, Cienen, ClearVPN, ConnectInPrivate, ConnectionVPN, CrackIP, Cryptline, Cryptocloud, CyberGhostVPN, DarknetVPN, DrakkerVPN, DoubleVPN, ExpressVPN, Eztun, FBVPN, FlashVPN, FQVPN, Freedur, FreeVPN, GateVPN, GoldenFrogVyprVPN, GoTrusted, HappyVPN, HideIPVPN, HideMyAss, Hideway, High-Speed-VPN, HostSpotVPN, HotspotShield, IAPSSecurityStore, ibVPN, IdealVPN, InvisibleBrowsing, iOpus iPig, IPJET, Ipredator, ItsHidden, Ivacy, IVPN, Ksecure, KeyVPN, Kryptnet, LamniaVPN, LeVPN, LibertyVPN, LifeVPN, Linkideo, Loki, MadVPN, MetroPipe, MicroVPN, MonkeyVPN, Mullvad, MyOpenGateway, MyVPN, Overplay, oVPN, PacketiX, PC-Streaming, PerfectPrivacy, Privacy.io, Privacyti, PrivacyTunnel, PrivateInternetAccess, PrivateVPN, PRQtunnel, PublicVPN, PureVPN, Relakks, RemoteVPN, RoadWarriorVPN, RootPanama, RoxNetworks, SaferSurf, SecretsLine, SecureNetics, SecureSwiss, SecureTunnel, SecureVPN, SlickyProxy, SmallVPN, SofanetSofaLINK, SteganosInternetAnonymVPN, StrongVPN, SuperVPN, Surf Bouncer, SurfoNym, SurfRescue, SwissPVN, SwitchVPN, TheSafety, Tiggerswelt, tonVPN, Trackbuster, trilightzone, TorrentFreedeom, Tunnelr, TUVPN, UkiVPN, UltraVPN, UnblockVPN, USAIP, VIPAccounts, VIPVPN, VPN4ALL, VPNDeutschland, VPNDog, VPNGates, VPNMaster, VPNonline.ru, VPNPrivacy, VPNProNet, VPNSeek, VPNSteel, VPNSwiss, VPNtraffic, VPNTunnel, vpntunnel.se, VPNSecure, VPNod, VPNout, VPNWorld, VyprVPN, Witopia, WorldVPN, WOWVPN, XeroBank, xtra-vpn, YourFreedom, YourPrivateVPN

Slide 13
• (S//REL) VPN Anonymity Providers
(S//REL) Range of Sovereign Nations/Localities in this set huge!
(S//REL) Multiple Cities in more popular countries
• (S//REL) Most fee based: Can vary on time/number of servers
(S//REL) Most notable exception: Hotspot Shield (Provider AnchorFree)
» (S//REL) Advertising supported
» (S//REL) Multiple OSINT reports of "most popular"
(S//REL) About a half dozen others claim they are free
(S//REL) Package deals (Europe, any 3 servers, etc.) sometimes available
• (S//REL) Poster child for location selection: IAPS (www.intl-alliance.com)
(S//REL) AE, AG, AI, AM, AN, AQ, AT, AU, AW, BB, BD, BG, BM, BR, BS, BZ, CA, CH, CL, CN, CO, CR, CU, CY, DK, DO, EE, EG, FJ, GB, GD, GI, GL, GR, GT, HK, HU, ID, IE, IL, IN, IR, IS, JM, JO, JP, KN, KP, KR, KW, KY, LC, LI, LU, MA, MC, MH, MK, MN, MT, MX, MY, NI, NO, NP, NZ, OM, PA, PE, PF, PG, PH, PK, PR, PS, PY, QA, RO, RU, SA, SB, SC, SE, SG, SI, SK, SN, TC, TH, TR, TV, TW, UA, US, UZ, VA, VE, VG, VI, VU, ZA

Slide 14
(C//REL) Types Of IAT
(S//REL) VPN Anonymity Providers
(S//REL) Search of SIGINT Forensics Lab Holdings for OpenVPN
(S//REL) Using SNAPE Portal
(S//REL) OpenVPN specifically because a client is required
(S//REL) Listing is just name of IAT provider
(S//REL) HotSpot Shield
(S//REL) Steganos Anonymous VPN
(S//REL) Securenetics
(S//REL) General references to using OpenVPN products
(S//REL) Several references to IP address only: Need more products in RONIN!

Slide 15
(S//REL) VPN Anonymity Providers
(S//REL) What "we" want
(S//REL) Server enumeration
(S//SI//REL) SIGINT: Obvious - target using such a service
» (S//SI//REL) One hop, so enough coverage means success!
(S//SI//REL) Compliance: FAA - Is target in US is important!
(S//REL) Exploiting User VPN traffic
(S//SI//REL) Very case by case
» (S//SI//REL) Coverage (may need 2 sided collection)
» (S//SI//REL) Protocol (may or may not have vulnerabilities)
» (S//SI//REL) Settings (implementation important)
» (TS//SI//REL) "Collateral" - NCSC, TAO, FISA, etc.
» (S//SI//REL) Request sent to CES if important

Slide 16
(C//REL) Types Of IAT
(S//REL) VPN Anonymity Providers
(S//REL) Server enumeration
(S//SI//REL) Manual work with Covered Internet (Linux/Windows)
(S//SI//REL) Sometimes info derived from documentation
(S//SI//REL) Sometimes need to access service
(S//SI//REL) May be a trial version to get "seed"
(S//SI//REL) Even if paid may only get some servers
(S//SI//REL) Some providers give you the works, YMMV
(S//SI//REL) Try to minimize work!
(S//SI//REL) Try to extend seed
(S//SI//REL) DNS "Pattern", ex.